That sponsorship requirement “was a barrier that a lot of cloud service providers ran into,” Thompson said, “especially on the Rev. 5 side, because it was a fairly large lift for an initial agency to grant an initial authorization and get them over to the FedRAMP process.”
The shift is designed to open the federal market to smaller and earlier-stage cloud companies that couldn’t afford the time or cost of the traditional route.
“We’re trying to get some of the cloud service providers that don’t have as much capital, especially when they’re in the startup phase, to start seeing government as one of their initial customers and not one of the far-off, like, ‘Well, eventually, when we get enough capital, we’ll go for the government market,’” Thompson said.
Lessons Learned From the 20x Pilot Program
FedRAMP ran its low-impact pilot first, walking about 10 cloud service providers through the new process. The goal was less about authorization and more about experimentation: The program placed few restrictions and let industry drive how they presented their security data.
“The first 20x pilot proved that 20x as a concept could work,” Thompson said. Thompson’s team found that cloud service providers could move from point-in-time annual security assessments to continuously available trust centers reporting security postures in near real time.
The moderate pilot, which ran from November through March, raised the bar. An initial cohort of three providers — all successful veterans of the low pilot — each received five to six hours of dedicated time with FedRAMP leadership before submitting their packages. Twelve more providers joined the program in January. Thompson said FedRAMP wanted to set up participants for success given the investment they were making “in this very experimental project that the government is running.”
Multiple providers earned moderate certifications and are now live on the marketplace.
Federal Agencies Still Adjusting to New 20x Process
Although some lucky initial cloud service providers have been successfully guided through the 20x process, federal agencies may face a steeper learning curve. Agencies accustomed to Rev. 5 packages are now encountering 20x submissions that look fundamentally different, and many authorizing officials don’t yet know how to evaluate them, Thompson said.
To that end, FedRAMP is hosting agency support groups, monthly liaison meetings, road shows to individual agencies and public community groups for both the Rev. 5 and 20x tracks.
“It looks different than what they’re used to,” Thompson acknowledged, “and so, we’re working on translating between the Rev. 5 communities and the 20x communities.”
Adoption, she said, is following a predictable curve: “In every case, you have early adopters and you have some later adopters, and that’s just normal over the course of change.” Office of Management and Budget support and the pairing of AI service authorizations with the 20x path have helped push momentum: Three AI services came through 20x exclusively, meaning agencies that want them have no Rev. 5 alternative.
The FedRAMP-High Impact Pilot Is Still an Open Question
The one tier that Thompson and her team haven’t touched yet is the high impact pilot. This program would run for systems where, per FedRAMP guidelines, loss of life or “catastrophic adverse effect on organizational operations, organizational assets, or individuals” is on the line if security is compromised. Thompson said FedRAMP has deliberately deferred the high impact pilot while formalizing the low and moderate paths.
“I don’t even know that that’s a problem that we solve entirely with 20x, or whether Rev. 5 stays around … for a significant time period,” she said. The core challenge: 20x was built for cloud-native SaaS providers that inherit security controls from their infrastructure providers. High impact environments often involve physical data centers and infrastructure-level controls that 20x wasn’t necessarily designed to address.
FedRAMP expects to begin exploring the high impact question this fall. For now, the existing Rev. 5 process remains the only path to high impact certification.
